blob: 8abb7725942cf016f38ce8d3e7f1baee641eab43 [file] [log] [blame] [view] [raw]
.TH vzctl 8 "12 May 2011" "OpenVZ" "Containers"
.SH NAME
vzctl \- utility to control an OpenVZ container.
.SH SYNOPSIS
vzctl [\fIflags\fR] \fBcreate\fR \fICTID\fR
[\fB--ostemplate\fR \fIname\fR] [\fB--config\fR \fIname\fR]
[\fB--private\fR \fIpath\fR] [\fB--root\fR \fIpath\fR] [\fB--ipadd\fR \fIaddr\fR] [\fB--hostname\fR \fIname\fR]
.PP
vzctl [\fIflags\fR] \fBset\fR \fICTID\fR \fIparameters\fR [\fB--save\fR]
.PP
vzctl [\fIflags\fR] \fBdestroy\fR | \fBmount\fR | \fBumount\fR |
\fBstart\fR | \fBstop\fR | \fBrestart\fR |
\fBstatus\fR | \fBquotaon\fR | \fBquotaoff\fR | \fBquotainit\fR \fICTID\fR
.PP
vzctl [\fIflags\fR] \fBexec\fR | \fBexec2\fR \fICTID\fR
\fIcommand\fR [\fIarg\fR ...]
.PP
vzctl [\fIflags\fR] \fBenter\fR \fICTID\fR [\fB--exec \fIcommand\fR
[\fIarg\fR ...]]
.PP
vzctl [\fIflags\fR] \fBrunscript\fR \fICTID\fR \fIscript\fR
.PP
vzctl \fB--help\fR | \fB--version\fR
.SH DESCRIPTION
Utility \fBvzctl\fR runs on the host system (otherwise known as Hardware Node,
or HN) and performs direct manipulations with containers (CTs).
.PP
Containers can be referred to by either numeric \fICTID\fR or
by name (see \fB--name\fR option). Note that CT ID <= 100 are reserved for
OpenVZ internal purposes.
.SH OPTIONS
.SS Flags
These flags come before a command, and can be used with any command.
They affect logging to console (terminal) only, and do not affect logging
to a log file.
.IP \fB--quiet\fR 4
Disables output. Note that scripts run by vzctl are still able to produce
some output.
.IP \fB--verbose\fR 4
Increments logging level up from the default. Can be used multiple times.
Default value is set to the value of \fBVERBOSE\fR parameter in the global
configuration file \fBvz.conf\fR(5), or to \fB0\fR if not set by
\fBVERBOSE\fR parameter.
.SS Setting container parameters
.IP "\fBset\fR \fICTID\fR \fIparameters\fR [\fB--save\fR] [\fB--force\fR]" 4
This command sets various container parameters. If a \fB--save\fR flag is given,
parameters are saved in container configuration file \fBctid.conf\fR(5).
Use \fB--force\fR to save the parameters even if the current kernel
doesn't support OpenVZ.
If the container is currently running, \fBvzctl\fR applies these parameters
to the container.
The following parameters can be used with \fBset\fR command.
.TP
.B Miscellaneous
.TP
\fB--onboot\fR \fByes\fR | \fBno\fR
Sets whether the container will be started during system boot.
The container will not be auto-started unless this parameter
is set to \fByes\fR.
.TP
\fB--bootorder\fR \fInumber\fR
Sets the boot order priority for this CT. The higher the \fInumber\fR is,
the earlier in the boot process this container starts. By default this
parameter is unset, which is considered to be the lowest priority, so
containers with unset \fBbootorder\fR will start last.
.TP
\fB--root\fR \fIpath\fR
Sets the path to root directory for this container. This is essentially a mount
point for container's root directory. Argument can contain literal string
\fB$VEID\fR, which will be substituted with the numeric CT ID.
Changing this parameter is not recommended, better edit
\fBvz.conf\fR(5) global configuration file.
.TP
\fB--userpasswd\fR \fIuser\fR:\fIpassword\fR
Sets password for the given user in a container, creating the user if
it does not exists.
Note that this option is not saved in configuration file at all (so
\fB--save\fR flag is useless), it is applied to the container (by modifying its
\fB\f(CR/etc/passwd\fR and \fB\f(CR/etc/shadow\fR files).
In case container root filesystem is not mounted, it is automatically mounted,
then all the appropriate file changes are applied, then it is unmounted.
Note that container should be created before using this option.
.TP
\fB--disabled\fR \fByes\fR | \fBno\fR
Disable container start. To force the start of a disabled container,
use \fBvzctl start --force\fR.
.TP
\fB--name\fR \fIname\fR
Add a name for a container. The \fIname\fR can later be used in
subsequent calls to \fBvzctl\fR in place of \fICTID\fR.
.TP
\fB--description\fR \fIstring\fR
Add a textual description for a container.
.TP
\fB--setmode\fR \fBrestart\fR|\fBignore\fR
Whether to restart a container after applying parameters that require
the container to be restarted in order to take effect.
.TP
.B Networking
.TP
\fB--ipadd\fR \fIaddr\fR
Adds IP address to a given container. Note that this option is incremental, so
\fIaddr\fR are added to already existing ones.
.TP
\fB--ipdel\fR \fIaddr\fR | \fBall\fR
Removes IP address \fIaddr\fR from a container. If you want to remove all
the addresses, use \fB--ipdel all\fR.
.TP
\fB--hostname\fR \fIname\fR
Sets container hostname. \fBvzctl\fR writes it to the appropriate file inside a
container (distribution-dependent).
.TP
\fB--nameserver\fR \fIaddr\fR
Sets DNS server IP address for a container. If you want to set several
nameservers, you should do it at once, so use \fB--nameserver\fR option
multiple times in one call to \fBvzctl\fR, as all the name server values
set in previous calls to \fBvzctl\fR are overwritten.
.TP
\fB--searchdomain\fR \fIname\fR
Sets DNS search domains for a container. If you want to set several search
domains, you should do it at once, so use \fB--searchdomain\fR option
multiple times in one call to \fBvzctl\fR, as all the search domain values
set in previous calls to \fBvzctl\fR are overwritten.
.TP
\fB--netif_add\fR \fIifname[\fR,\fImac\fR,\fIhost_ifname\fR,\fIhost_mac\fR,\fIbridge]\fR
Adds a virtual Ethernet device (veth) to a given container. Here \fIifname\fR
is the Ethernet device name in the container, \fImac\fR is its MAC address,
\fIhost_ifname\fR is the Ethernet device name on the host, and
\fIhost_mac\fR is its MAC address. MAC addresses should be in the format
like XX:XX:XX:XX:XX:XX. \fIbridge\fR is an optional parameter which can be
used in custom network start scripts to automatically add the interface
to a bridge. All parameters except \fIifname\fR are optional
and are automatically generated if not specified.
.TP
\fB--netif_del\fR \fIdev_name\fR | \fBall\fR
Removes virtual Ethernet device from a container. If you want to remove all
devices, use \fBall\fR.
.TP
.B veth interface configuration
.PP
The following options can be used to reconfigure the already-created virtual
Ethernet interface. To select the interface to configure, use
\fB--ifname\fR \fIname\fR option.
.TP
\fB--mac\fR \fIXX:XX:XX:XX:XX:XX\fR
MAC address of interface inside a container.
.TP
\fB--host_ifname\fR \fIname\fR
interface name for virtual interface in the host system.
.TP
\fB--host_mac\fR \fIXX:XX:XX:XX:XX:XX\fR
MAC address of interface in the host system.
.TP
\fB--bridge\fR \fIname\fR
Bridge name. Custom network start scripts can use this value to automatically
add the interface to a bridge.
.TP
\fB--mac_filter\fR \fBon\fR | \fBoff\fR
Enables/disables MAC address filtering for the Container veth device and
the possibility of configuring the MAC address of this device from inside
the Container. If the filtering is turned on:
.br
\(bu the veth device accepts only those packets that have a MAC address in
their headers corresponding to that of this device (excluding all broadcast
and multicast packets);
.br
\(bu it is impossible to modify the veth MAC address from inside the Container.
By default, this functionality is enabled for all veth devices existing
inside the Container.
.TP
.B Resource limits
.PP
The following options sets barrier and limit for various user beancounters.
Each option requires one or two arguments. In case of one argument,
\fBvzctl\fR sets barrier and limit to the same value. In case of
two colon-separated arguments, the first is a barrier,
and the second is a limit. Each argument is either a number, a number
with a suffix, or a special value \fBunlimited\fR.
Arguments are in items, pages or bytes. Note that page size
is architecture-specific, it is 4096 bytes on x86 and x86_64 platforms.
You can also specify different suffixes for \fBset\fR parameters
(except for the parameters which names start with \fBnum\fR).
For example, \fBvzctl set\fR \fICTID\fR \fB--privvmpages 5M:6M\fR
should set \fBprivvmpages\fR' barrier to 5 megabytes and its limit
to 6 megabytes.
Available suffixes are:
.br
\fBg\fR, \fBG\fR -- gigabytes.
.br
\fBm\fR, \fBM\fR -- megabytes.
.br
\fBk\fR, \fBK\fR -- kilobytes.
.br
\fBp\fR, \fBP\fR -- pages (page is 4096 bytes on x86 architecture,
other architectures may differ).
You can also specify the literal word \fBunlimited\fR in place of a number.
In that case the corresponding value will be set to \fBLONG_MAX\fR, i. e.
the maximum possible value.
.TP
\fB--numproc\fR \fIitems\fR[:\fIitems\fR]
Maximum number of processes and kernel-level threads.
Setting the barrier and
the limit to different values does not make practical sense.
.TP
\fB--numtcpsock\fR \fIitems\fR[:\fIitems\fR]
Maximum number of TCP sockets. This parameter limits the number of TCP
connections and, thus, the number of clients the server application can
handle in parallel.
Setting the barrier and
the limit to different values does not make practical sense.
.TP
\fB--numothersock\fR \fIitems\fR[:\fIitems\fR]
Maximum number of non-TCP sockets (local sockets, UDP and other types
of sockets).
Setting the barrier and
the limit to different values does not make practical sense.
.TP
\fB--vmguarpages\fR \fIpages\fR[:\fIpages\fR]
Memory allocation guarantee. This parameter controls how much memory is
available to a container. The barrier is the amount
of memory that container's applications are guaranteed to be able to allocate.
The meaning of the limit is currently unspecified; it should be set to
\fBunlimited\fR.
.TP
\fB--kmemsize\fR \fIbytes\fR[:\fIbytes\fR]
Maximum amount of kernel memory used. This parameter is related to
\fB--numproc\fR. Each process consumes certain amount of kernel memory -
16 KB at least, 30-50 KB typically. Very large processes may consume
a bit more. It is important to have a certain safety gap between the
barrier and the limit of this parameter: equal barrier and limit may
lead to the situation where the kernel will need to kill container's
applications to keep the \fBkmemsize\fR usage under the limit.
.TP
\fB--tcpsndbuf\fR \fIbytes\fR[:\fIbytes\fR]
Maximum size of TCP send buffers.
Barrier should be not less than 64 KB, and difference between
barrier and limit should be equal to or more than value of
\fBnumtcpsock\fR multiplied by 2.5 KB.
.TP
\fB--tcprcvbuf\fR \fIbytes\fR[:\fIbytes\fR]
Maximum size of TCP receive buffers.
Barrier should be not less than 64 KB, and difference between
barrier and limit should be equal to or more than value of
\fBnumtcpsock\fR multiplied by 2.5 KB.
.TP
\fB--othersockbuf\fR \fIbytes\fR[:\fIbytes\fR]
Maximum size of other (non-TCP) socket send buffers. If container's processes
needs to send very large datagrams, the barrier should be set accordingly.
Increased limit is necessary for high performance of communications through
local (UNIX-domain) sockets.
.TP
\fB--dgramrcvbuf\fR \fIbytes\fR[:\fIbytes\fR]
Maximum size of other (non-TCP) socket receive buffers. If container's
processes needs to receive very large datagrams, the barrier should be set
accordingly. The difference between the barrier and the limit is not needed.
.TP
\fB--oomguarpages\fR \fIpages\fR[:\fIpages\fR]
Guarantees against OOM kill. Under this beancounter the kernel accounts the
total amount of memory and swap space used by the container's processes.
The barrier of this parameter is the out-of-memory guarantee. If the
\fBoomguarpages\fR usage is below the barrier, processes of this container
are guaranteed not to be killed in out-of-memory situations.
The meaning of limit is currently unspecified; it should be set to
\fBunlimited\fR.
.TP
\fB--lockedpages\fR \fIpages\fR[:\fIpages\fR]
Maximum number of pages acquired by \fBmlock\fR(2).
.TP
\fB--privvmpages\fR \fIpages\fR[:\fIpages\fR]
Allows controlling the amount of memory allocated by the applications.
For shared (mapped as \fBMAP_SHARED\fR) pages, each container really using
a memory page is charged for the fraction of the page (depending on the
number of others using it). For "potentially private" pages (mapped as
\fBMAP_PRIVATE\fR), container is charged either for a fraction of the size
or for the full size if the allocated address space. In the latter case,
the physical pages associated with the allocated address space may be
in memory, in swap or not physically allocated yet.
The barrier and the limit of this parameter
control the upper boundary of the total size of allocated memory. Note that
this upper boundary does not guarantee that container will be able
to allocate that much memory. The primary mechanism to control memory
allocation is the \fB--vmguarpages\fR guarantee.
.TP
\fB--shmpages\fR \fIpages\fR[:\fIpages\fR]
Maximum IPC SHM segment size.
Setting the barrier and
the limit to different values does not make practical sense.
.TP
\fB--numfile\fR \fIitems\fR[:\fIitems\fR]
Maximum number of open files. In most cases the barrier and the limit
should be set to the same value. Setting the barrier to \fB0\fR effectively
disables pre-charging optimization for this beancounter in the kernel,
which leads to the held value being precise but could slightly degrade
file open performance.
.TP
\fB--numflock\fR \fIitems\fR[:\fIitems\fR]
Maximum number of file locks. Safety gap should be between barrier and limit.
.TP
\fB--numpty\fR \fIitems\fR[:\fIitems\fR]
Number of pseudo-terminals (PTY). Note that in OpenVZ each container can have
not more than 255 PTYs. Setting the barrier and
the limit to different values does not make practical sense.
.TP
\fB--numsiginfo\fR \fIitems\fR[:\fIitems\fR]
Number of siginfo structures.
Setting the barrier and
the limit to different values does not make practical sense.
.TP
\fB--dcachesize\fR \fIbytes\fR[:\fIbytes\fR]
Maximum size of filesystem-related caches, such as directory entry
and inode caches. Exists as a separate parameter to impose a limit
causing file operations to sense memory shortage and return an errno
to applications, protecting from memory shortages during critical
operations that should not fail.
Safety gap should be between barrier and limit.
.TP
\fB--numiptent\fR \fInum\fR[:\fInum\fR]
Number of iptables (netfilter) entries.
Setting the barrier and
the limit to different values does not make practical sense.
.TP
\fB--physpages\fR \fIpages\fR[:\fIpages\fR]
This is currently an accounting-only parameter. It shows the usage of RAM
by this container. Barrier should be set to 0, and limit should be set to
\fBunlimited\fR.
.TP
\fB--swappages\fR \fIpages\fR[:\fIpages\fR]
The limit, if set, is used to show a total amount of swap space available
inside the container. The barrier of this parameter is currently ignored.
The default value is \fBunlimited\fR, meaning total swap will be reported
as 0.
Note that in order for the value to be shown as total swap space,
\fB--meminfo\fR parameter should be set to value other than \fBnone\fR.
.TP
.B CPU fair scheduler parameters
.PP
These parameters control CPU usage by container.
.TP
\fB--cpuunits\fR \fInum\fR
CPU weight for a container. Argument is positive non-zero number, passed to
and used in the kernel fair scheduler. The larger the number is, the more
CPU time this container gets. Maximum value is 500000, minimal is 8.
Number is relative to weights of all the other running containers.
If \fBcpuunits\fR are not specified, default value of 1000 is used.
You can set CPU weight for CT0 (host system itself) as well
(use \fBvzctl set 0 --cpuunits \fInum\fR). Usually, OpenVZ initscript
(\fB/etc/init.d/vz\fR) takes care of setting this.
.TP
\fB--cpulimit\fR \fInum\fR[\fB%\fR]
Limit of CPU usage for the container, in per cent.
Note if the computer has 2 CPUs, it has total of 200% CPU time. Default CPU
limit is \fB0\fR (no CPU limit).
.TP
\fB--cpus\fR \fInum\fR
sets number of CPUs available in the container.
.TP
\fB--cpumask\fR \fIcpus\fR | \fBall\fR
sets list of allowed CPUs for the container.
Input format is a comma-separated list of decimal numbers and ranges.
Consecutively set bits are shown as two hyphen-separated decimal numbers,
the smallest and largest bit numbers set in the range.
For example, if you want the container to execute on CPUs 0, 1, 2, 7,
you should pass \fB0-2,7\fR.
Default value is \fBall\fR (the container can execute on any CPU).
.TP
.B Memory output parameters
.PP
This parameter control output of /proc/meminfo inside a container.
.TP
\fB--meminfo\fR \fBnone\fR
No /proc/meminfo virtualization (the same as on host system).
.TP
\fB--meminfo\fR \fImode\fR:\fIvalue\fR
Configure total memory output in a container. Reported free memory is evaluated
accordingly to the mode being set. Reported swap is evaluated
according to the settings of \fB--swappages\fR parameter.
You can use the following modes for \fImode\fR:
.br
\(bu \fBpages\fR:\fIvalue\fR - sets total memory in pages;
.br
\(bu \fBprivvmpages\fR:\fIvalue\fR - sets total memory as
\fBprivvmpages\fR * \fIvalue\fR.
Default is \fBprivvmpages:1\fR.
.TP
.B iptables control parameters
.TP
\fB--iptables\fR \fIname\fR
Allow to use the functionality of \fIname\fR iptables module inside
the container. To specify multiple \fIname\fRs, repeat --iptables
for each, or use space-separated list as an argument
(enclosed in single or double quotes to protect spaces).
The default list of enabled iptables modules is specified
by the \fBIPTABLES\fR variable in \fBvz.conf\fR(5).
You can use the following values for \fIname\fR:
\fBiptable_filter\fR, \fBiptable_mangle\fR, \fBipt_limit\fR,
\fBipt_multiport\fR, \fBipt_tos\fR, \fBipt_TOS\fR, \fBipt_REJECT\fR,
\fBipt_TCPMSS\fR, \fBipt_tcpmss\fR, \fBipt_ttl\fR, \fBipt_LOG\fR,
\fBipt_length\fR, \fBip_conntrack\fR, \fBip_conntrack_ftp\fR,
\fBip_conntrack_irc\fR, \fBipt_conntrack\fR, \fBipt_state\fR,
\fBipt_helper\fR, \fBiptable_nat\fR, \fBip_nat_ftp\fR, \fBip_nat_irc\fR,
\fBipt_REDIRECT\fR, \fBxt_mac\fR, \fBipt_recent\fR, \fBipt_owner\fR.
.TP
.B Network devices control parameters
.TP
\fB--netdev_add\fR \fIname\fR
move network device from the host system to a specified container
.TP
\fB--netdev_del\fR \fIname\fR
delete network device from a specified container
.TP
.B Disk quota parameters
.TP
\fB--diskquota\fR \fByes\fR | \fBno\fR
allows to enable or disable disk quota for a container. By default,
a global value (\fBDISK_QUOTA\fR) from \fBvz.conf\fR(5) is used.
.TP
\fB--diskspace\fR \fInum\fR[:\fInum\fR]
sets soft and hard disk quota limits, in blocks. First parameter is soft limit,
second is hard limit. One block is currently equal to 1Kb.
Suffixes \fBG\fR, \fBM\fR, \fBK\fR can also be specified
(see \fBResource limits\fR section for more info on suffixes).
.TP
\fB--diskinodes\fR \fInum\fR[:\fInum\fR]
sets soft and hard disk quota limits, in i-nodes. First parameter is
soft limit, second is hard limit.
.TP
\fB--quotatime\fR \fIseconds\fR
sets quota grace period. Container is permitted to exceed its soft limits
for the grace period, but once it has expired, the soft limit is enforced
as a hard limit.
.TP
\fB--quotaugidlimit\fR \fInum\fR
sets maximum number of user/group IDs in a container for which disk quota inside
the container will be accounted. If this value is set to \fB0\fR, user and group
quotas inside the container will not be accounted.
Note that if you have previously set value of this parameter to \fB0\fR,
changing it while the container is running will not take effect.
.TP
.B Mount option
.TP
\fB--noatime\fR \fByes\fR | \fBno\fR
Sets noatime flag (do not update inode access times) on filesystem.
.TP
.B Capability option
.TP
\fB--capability\fR \fIcapname\fR:\fBon\fR|\fBoff\fR
Sets a capability for a container. Note that setting capability when
the container is running does not take immediate effect; restart the container
in order for the changes to take effect. Note a container has default set
of capabilities, thus any operation on capabilities is "logical and"
with the default capability mask.
You can use the following values for \fIcapname\fR:
\fBchown\fR, \fBdac_override\fR, \fBdac_read_search\fR, \fBfowner\fR,
\fBfsetid\fR, \fBkill\fR, \fBsetgid\fR, \fBsetuid\fR,
\fBsetpcap\fR, \fBlinux_immutable\fR, \fBnet_bind_service\fR,
\fBnet_broadcast\fR, \fBnet_admin\fR, \fBnet_raw\fR,
\fBipc_lock\fR, \fBipc_owner\fR, \fBsys_module\fR, \fBsys_rawio\fR,
\fBsys_chroot\fR, \fBsys_ptrace\fR, \fBsys_pacct\fR,
\fBsys_admin\fR, \fBsys_boot\fR, \fBsys_nice\fR, \fBsys_resource\fR,
\fBsys_time\fR, \fBsys_tty_config\fR, \fBmknod\fR, \fBlease\fR,
\fBsetveid\fR, \fBve_admin\fR. For detailed description, see
.BR capabilities (7).
\fBWARNING\fR: setting some of those capabilities may have far reaching security
implications, so do not do it unless you know what you are doing. Also note
that setting \fBsetpcap:on\fR for a container will most probably lead to
inability to start it.
.TP
.B Device access management
.TP
\fB--devnodes\fR \fIdevice\fR:[\fBr\fR][\fBw\fR][\fBq\fR]|\fBnone\fR
Give the container an access (\fBr\fR - read, \fBw\fR - write,
\fBq\fR - disk quota management, \fBnone\fR - no access)
to a device designated by the special file /dev/\fIdevice\fR. Device file
is created in a container by \fBvzctl\fR. Example:
\fBvzctl set 777 --devnodes sdb:rwq\fR.
.TP
\fB--devices\fR \fBb\fR|\fBc\fR:\fImajor\fR:\fIminor\fR|\fBall\fR:[\fBr\fR][\fBw\fR][\fBq\fR]|\fBnone\fR
Give the container an access to a \fBb\fRlock or \fBc\fRharacter device
designated by its \fImajor\fR and \fIminor\fR numbers. Device file have to be created manually.
.TP
.B PCI device management
.TP
\fB--pci_add\fR [\fIdomain\fR:]\fIbus\fR:\fIslot\fR.\fIfunc\fR
Give the container an access to a specified PCI device. All numbers are
hexadecimal (as printed by \fBlspci\fR(8) in the first column).
.TP
\fB--pci_del\fR [\fIdomain\fR:]\fIbus\fR:\fIslot\fR.\fIfunc\fR
Delete a PCI device from the container.
Note that \fBvps-pci\fR configuration script is executed by \fBvzctl\fR
then configuring PCI devices. The script is usually located at
\fB/usr/lib[64]/vzctl/scripts/\fR.
.TP
.B Features management
.TP
\fB--features\fR \fIname\fR:\fBon\fR|\fBoff\fR
Enable or disable a specific container feature.
Known features are: \fBsysfs\fR, \fBnfs\fR, \fBsit\fR, \fBipip\fR, \fBppp\fR,
\fBipgre\fR, \fBbridge\fR, \fBnfsd\fR.
.TP
.B Apply config
.TP
\fB--applyconfig\fR \fIname\fR
Read container parameters from the container sample configuration file
\fB\f(CW/etc/vz/conf/ve-\fIname\fR\fB\f(CW.conf-sample\fR, and
apply them, if \fB--save\fR option specified save to the container config file.
The following parameters are not changed: \fBHOSTNAME\fR, \fBIP_ADDRESS\fR,
\fBOSTEMPLATE\fR, \fBVE_ROOT\fR, and \fBVE_PRIVATE\fR.
.TP
\fB--applyconfig_map\fR \fIgroup\fR
Apply container config parameters selected by \fIgroup\fR. Now the only
possible value for \fIgroup\fR is \fBname\fR:
to restore container name based on \fBNAME\fR
variable in container configuration file.
.TP
.B I/O priority management
.TP
\fB--ioprio\fR \fIpriority\fR
Assigns I/O priority to container. \fIPriority\fR range is \fB0-7\fR.
The greater \fIpriority\fR is, the more time for I/O activity container has.
By default each container has \fIpriority\fR of \fB4\fR.
.SS Checkpointing and restore
Checkpointing is a feature of OpenVZ kernel which allows to save a complete
state of a running container, and to restore it later.
.TP 4
\fBchkpnt\fR \fICTID\fR [\fB--dumpfile\fR \fIname\fR]
This command saves a complete state of a running container to a dump file,
and stops the container. If an option \fB--dumpfile\fR is not set, default
dump file name \fB/vz/dump/Dump.\fICTID\fR is used.
.TP 4
\fBrestore\fR \fICTID\fR [\fB--dumpfile\fR \fIname\fR]
This command restores a container from the dump file created by the
\fBchkpnt\fR command.
.SS Performing container actions
.IP "\fBcreate\fR \fICTID\fR [\fB--ostemplate\fR \fIname\fR] [\fB--config\fR \fIname\fR] [\fB--private\fR \fIpath\fR] [\fB--root\fR \fIpath\fR] [\fB--ipadd\fR \fIaddr\fR] [\fB--hostname\fR \fIname\fR]" 4
Creates a new container area. This operation should be done once, before
the first start of the container.
If the \fB--config\fR option is specified, values from
example configuration file
\f(CW\fB/etc/vz/conf/ve-\fIname\fR\f(CW\fB.conf-sample\fR
are put into the container configuration file. If this container configuration
file already exists, it will be removed.
You can use \fB--root\fR \fIpath\fR option to sets the path to the mount
point for the container root directory (default is \fBVE_ROOT\fR specified in
\fBvz.conf\fR(5) file). Argument can contain literal string \fB$VEID\fR,
which will be substituted with the numeric CT ID.
You can use \fB--private\fR \fIpath\fR option to set the path to directory
in which all the files and directories specific to this very container
are stored (default is \fBVE_PRIVATE\fR specified in \fBvz.conf\fR(5) file).
Argument can contain literal string \fB$VEID\fR, which will be substituted with
the numeric CT ID.
You can use \fB--ipadd\fR \fIaddr\fR option to assign an IP address to
a container. Note that this option can be used multiple times.
You can use \fB--hostname\fR \fIname\fR option to set a host name for
a container.
.IP "\fBdestroy\fR | \fBdelete\fR" 4
Removes a container private area by deleting all files, directories and
the configuration file of this container.
.IP "\fBstart\fR [\fB--wait\fR] [\fB--force\fR]" 4
Mounts (if necessary) and starts a container. Unless \fB--wait\fR option
is specified, \fBvzctl\fR will return immediately; otherwise an attempt to
wait till the default runlevel is reached will be made by \fBvzctl\fR.
Specify \fB--force\fR if you want to start a container which is disabled
(see \fB--disabled\fR).
Note that this command can lead to execution of \fBpremount\fR, \fBmount\fR
and \fBstart\fR action scripts (see \fBACTION SCRIPTS\fR below).
.IP "\fBstop\fR [\fB--fast\fR]" 4
Stops and unmounts a container. Normally, \fBhalt\fR(8) is executed
inside a container; option \fB--fast\fR makes \fBvzctl\fR use
\fBreboot\fR(2) syscall instead which is faster but can lead to
unclean container shutdown.
Note that this command can lead to execution of \fBstop\fR,
\fBumount\fR and \fBpostumount\fR action scripts
(see \fBACTION SCRIPTS\fR below).
.IP \fBrestart\fR 4
Restarts a container, i.e. stops it if it is running, and starts again.
Accepts all the \fBstart\fR and \fBstop\fR options.
Note that this command can lead to execution of some action scripts
(see \fBACTION SCRIPTS\fR below).
.IP \fBstatus\fR 4
Shows a container status. This is a line with five or six words,
separated by spaces.
First word is literally \fBCTID\fR.
Second word is the numeric \fICT ID\fR.
Third word is showing whether this container exists or not,
it can be either \fBexist\fR or \fBdeleted\fR.
Fourth word is showing the status of the container filesystem,
it can be either \fBmounted\fR or \fBunmounted\fR.
Fifth word shows if the container is running,
it can be either \fBrunning\fR or \fBdown\fR.
Sixth word, if exists, is \fBsuspended\fR. It appears if both a container
and its dump file exist (see \fBchkpnt\fR).
This command can also be usable from scripts.
.IP \fBmount\fR 4
Mounts container private area. Note that this command can lead
to execution of \fBpremount\fR and \fBmount\fR action scripts
(see \fBACTION SCRIPTS\fR below).
.IP \fBumount\fR 4
Unmounts container private area. Note that this command can lead
to execution of \fBumount\fR and \fBpostumount\fR action scripts
(see \fBACTION SCRIPTS\fR below).
Note that \fBstop\fR does \fBumount\fR automatically.
.IP "\fBquotaon\fR \fIctid\fR" 4
Turn disk quota on. Not that \fBmount\fR and \fBstart\fR does that
automatically.
.IP "\fBquotaoff\fR \fIctid\fR" 4
Turn disk quota off. Not that \fBumount\fR and \fBstop\fR
does that automatically.
.IP "\fBquotainit\fR \fIctid\fR" 4
Initialize disk quota (i.e. run \fBvzquota init\fR) with the parameters
taken from the CT configuration file \fBctid.conf\fR(5).
.IP "\fBexec\fR \fICTID\fR \fIcommand\fR" 4
Executes \fIcommand\fR in a container. Environment variables are not set
inside the container.
Signal handlers may differ from default settings. If \fIcommand\fR is \fB-\fR,
commands are read from stdin.
.IP "\fBexec2\fR \fICTID\fR \fIcommand\fR" 4
The same as \fBexec\fR, but return code is that of \fIcommand\fR.
.IP "\fBrunscript\fR \fICTID\fR \fIscript\fR" 4
Run specified shell script in the container. Argument \fIscript\fR is a file
on the host system which contents is read by vzctl and executed in the
context of the container. For a running container, the command jumps
into the container and executes the script. For a stopped container, it
enters the container, mounts container's root filesystem, executes the
script, and unmounts CT root. In the latter case, the container is not
really started, no file systems other than root (such as \fB/proc\fR)
are mounted, no startup scripts are executed etc. Thus the environment
in which the script is running is far from normal and is only usable for
very basic operations.
.IP "\fBenter\fR [\fB--exec \fIcommand\fR [\fIarg\fR ...]]" 4
Enters into a container (giving a container's root shell). This option
is a back-door for host root only. The proper way to have CT root shell
is to use \fBssh\fR(1).
Option \fB--exec\fR is used to run \fIcommand\fR with arguments
after entering into container. This is useful if command to be run
requires a terminal (so \fBvzctl exec\fR can not be used) and for
some reason you can not use \fBssh\fR(1).
You need to log out manually from the shell to finish session
(even if you specified \fB--exec\fR).
.SS Other options
.IP \fB--help\fR 4
Prints help message with a brief list of possible options.
.IP \fB--version\fR 4
Prints \fBvzctl\fR version.
.SH ACTION SCRIPTS
\fBvzctl\fR has an ability to execute user-defined scripts when
a specific \fBvzctl\fR command is run for a container. The following
\fBvzctl\fR commands can trigger execution of action scripts:
\fBstart\fR, \fBstop\fR, \fBrestart\fR, \fBmount\fR and \fBumount\fR.
Action scripts are located in the \fB/etc/vz/conf/\fR directory. There
are global and per-CT scripts. Global scripts have a literal prefix of
\fBvps.\fR and are executed for all containers. Per-CT scripts have
a \fICTID\fR numeric prefix and are executed for the given container
only.
There are 8 action scripts currently defined:
.IP "\fBvps.premount\fR, \fICTID\fB.premount\fR"
Global and per-CT mount scripts which are executed for a
container before it is mounted. Scripts are executed in the host OS
context, while a CT is not yet mounted or running. Global script,
if exists, is executed first.
.IP "\fBvps.mount\fR, \fICTID\fB.mount\fR"
Global and per-CT mount scripts which are executed for a
container right after it is mounted. Otherwise they are the same
as \fB.premount\fR scripts.
.IP \fICTID\fB.start\fR
Right after \fBvzctl\fR has started a container, it executes this script
in a container context.
.IP \fICTID\fB.stop\fR
Right before \fBvzctl\fR has stopped a container, it executes this script
in a container context.
.IP "\fBvps.umount\fR, \fICTID\fB.umount\fR"
Global and per-CT umount scripts which are executed for a
container before it is unmounted. Scripts are executed
in the host OS context, while a CT is mounted. Global script,
if exists, is executed first.
.IP "\fBvps.postumount\fR, \fICTID\fB.postumount\fR"
Global and per-CT umount scripts which are executed for a
container right after it is unmounted. Otherwise they are the same
as \fB.umount\fR scripts.
The environment passed to all the \fB*mount\fR scripts is the standard
environment of the parent (i.e. \fBvzctl\fR) with two additional
variables: \fB$VEID\fR and \fB$VE_CONFFILE\fR. The first one holds
the ID of the container, and the second one holds the full path
to the container configuration file. If the script needs to get other
CT configuration parameters, such as \fB$VE_ROOT\fR, it needs to get
those from global and per-CT configuration files.
Here is an example of a mount script, which makes host system's
/mnt/disk available to container(s). Script name can either be
\fB/etc/vz/conf/vps.mount\fR or \fB/etc/vz/conf/\fICTID\fB.mount\fR.
.nf
.ps -1
.ft CR
# If one of these files does not exist then something
# is really broken
[ -f /etc/sysconfig/vz ] || exit 1
[ -f $VE_CONFFILE ] || exit 1
# Source both files. Note the order is important.
. /etc/vz/vz.conf
. $VE_CONFFILE
mount -n --bind /mnt/disk $VE_ROOT/mnt/disk
.ft
.fi
.SH EXIT STATUS
Returns 0 upon success, or an appropriate error code in case of an error:
.IP 1
Failed to set a UBC parameter
.IP 2
Failed to set a fair scheduler parameter
.IP 3
Generic system error
.IP 5
The running kernel is not an OpenVZ kernel (or some OpenVZ modules are not loaded)
.IP 6
Not enough system resources
.IP 7
\fBENV_CREATE\fR ioctl failed
.IP 8
Command executed by \fBvzctl exec\fR returned non-zero exit code
.IP 9
Container is locked by another \fBvzctl\fR invocation
.IP 10
Global OpenVZ configuration file \fBvz.conf\fR(5) not found
.IP 11
A vzctl helper script file not found
.IP 12
Permission denied
.IP 13
Capability setting failed
.IP 14
Container configuration file \fBctid.conf\fR(5) not found
.IP 15
Timeout on \fBvzctl exec\fR
.IP 16
Error during \fBvzctl chkpnt\fR
.IP 17
Error during \fBvzctl restore\fR
.IP 18
Error from \fBsetluid()\fR syscall
.IP 20
Invalid command line parameter
.IP 21
Invalid value for command line parameter
.IP 22
Container root directory (\fBVE_ROOT\fR) not set
.IP 23
Container private directory (\fBVE_PRIVATE\fR) not set
.IP 24
Container template directory (\fBTEMPLATE\fR) not set
.IP 28
Not all required UBC parameters are set, unable to start container
.IP 29
OS template is not specified, unable to create container
.IP 31
Container not running
.IP 32
Container already running
.IP 33
Unable to stop container
.IP 34
Unable to add IP address to container
.IP 40
Container not mounted
.IP 41
Container already mounted
.IP 43
Container private area not found
.IP 44
Container private area already exists
.IP 46
Not enough disk space
.IP 47
Bad/broken container (\fB/sbin/init\fR or \fB/bin/sh\fR not found)
.IP 48
Unable to create a new container private area
.IP 49
Unable to create a new container root area
.IP 50
Unable to mount container
.IP 51
Unable to unmount container
.IP 52
Unable to delete a container
.IP 53
Container private area not exist
.IP 60
\fBvzquota on\fR failed
.IP 61
\fBvzquota init\fR failed
.IP 62
\fBvzquota setlimit\fR failed
.IP 63
Parameter \fBDISKSPACE\fR not set
.IP 64
Parameter \fBDISKINODES\fR not set
.IP 66
\fBvzquota off\fR failed
.IP 67
ugid quota not initialized
.IP 71
Incorrect IP address format
.IP 74
Error changing password
.IP 78
IP address already in use
.IP 79
Container action script returned an error
.IP 82
Config file copying error
.IP 86
Error setting devices (\fB--devices\fR or \fB--devnodes\fR)
.IP 89
IP address not available
.IP 91
OS template not found
.IP 100
Unable to find container IP address
.IP 104
\fBVE_NETDEV\fR ioctl error
.IP 105
Container start disabled
.IP 106
Unable to set iptables on a running container
.IP 107
Distribution-specific configuration file not found
.IP 109
Unable to apply a config
.IP 129
Unable to set meminfo parameter
.IP 130
Error setting veth interface
.IP 131
Error setting container name
.IP 133
Waiting for container start failed
.IP 139
Error saving container configuration file
.IP 148
Error setting container IO parameters (ioprio)
.SH EXAMPLES
To create and start "basic" container with ID of 1000 using
\fBcentos-5\fR OS template and IP address of 192.168.10.200:
.br
\f(CR vzctl create 1000 --ostemplate centos-5 --config basic
.br
\f(CR vzctl set 1000 --ipadd 192.168.10.200 --save
.br
\f(CR vzctl start 1000
\fR
.P
To set number of processes barrier/limit to 80/100, and
PTY barrier/limit to 16/20 PTYs:
.br
\f(CR vzctl set 1000 --numproc 80:100 -t 16:20 --save
\fR
.P
To execute command \fBls -la\fR in this container:
.br
\f(CR vzctl exec 1000 /bin/ls -la
\fR
.P
To execute command pipe \fBls -l / | sort\fR in this container:
.br
\f(CR vzctl exec 1000 'ls -l / | sort'
\fR
.P
To enter this container and execute command \fBapt-get install vim\fR:
.br
\f(CR vzctl enter 1000 --exec apt-get install vim
\fR
.P
Note that in the above example you will need to log out from the
container's shell after apt-get finishes.
.P
To enter this container, execute command \fBapt-get install vim\fR and
logout after successful installation (or stay inside the container
if installation process failed) use \fB&&\fR:
.br
\f(CR vzctl enter 1000 --exec "apt-get install vim && logout"
\fR
.P
To enter this container, execute command \fBapt-get install vim\fR and logout
independently of exit code of installation process use \fB;\fR:
.br
\f(CR vzctl enter 1000 --exec "apt-get install vim ; logout"
\fR
.P
Note that you need to quote the command if you use \fB&&\fR or \fB;\fR.
.P
To stop this container:
.br
\f(CR vzctl stop 1000
\fR
.P
To permanently remove this container:
.br
\f(CR vzctl destroy 1000
\fR
.SH FILES
.ad l
\fB\f(CR/etc/vz/vz.conf
.br
/etc/vz/conf/\fICTID\fB\f(CR.conf
.br
/etc/vz/conf/vps.{premount,mount,umount,postumount}
.br
/etc/vz/conf/\fICTID\fB\f(CR.{premount,mount,start,stop,umount,postumount}
.br
/proc/vz/veinfo
.br
/proc/vz/vzquota
.br
/proc/user_beancounters
.br
/proc/bc/*
.br
/proc/fairsched\fR
.SH SEE ALSO
.BR vz.conf (5),
.BR ctid.conf (5),
.BR arpsend (8),
.BR vzcalc (8),
.BR vzcfgvalidate (8),
.BR vzcpucheck (8),
.BR vzifup-post (8),
.BR vzlist (8),
.BR vzmemcheck (8),
.BR vzmigrate (8),
.BR vzpid (8),
.BR vzquota (8),
.BR vzsplit (8),
.BR http://wiki.openvz.org/UBC .
.SH LICENSE
Copyright (C) 2000-2011, Parallels, Inc. Licensed under GNU GPL.